Spam has been sent from my email.
In my gmail inbox, sent folder I found "sexy Asian women" spam sent
Today I have changed password for gmail.

But I wonder, can this file give information to how this happend?

a) Attacker broke into my account? (No sign of login from strange place in gmail security page for account. I saw 30 days back. Only 4 spam mails where sent that are registert at my gmail account)

b) I see refernces to sendgrid.net and sendgrid.me US based IP. I have never used such service. I only use gmail.smtp. Is this some kind of spoofing where attacker had no access to my email account? But how can spoofed item be list as sent by google, in the sent folder?

Knowing only that you are a Gmail customer .... let's read the Email header together.

One of Gmail's mail transfer agent servers (generically, mx.google.com) received this Email from IP address 173.193.132.134, a server that resolved to o9.shared.sendgrid.net.

Everything under that could be fake, but a quick check of blacklists at mxtools.com shows that sendgrid.net is trustworthy at this time. Let us assume the next connection shown in the headers is real. The next MTA connection was from 50.21.180.110, which resolved to webcommezrc.com.

The next received does not look correct, however. It is apparently from 65.39.215.77, but it also refers to a loopback address, and "smoothstone.net" resolves to a different IP address. It's mail servers also do not resolve to that address. This part of the message is false. Nothing below it can be trusted.

webcommezrc.com is a domain through namecheap.com, and its contacts are privacy protected. You can contact the privacy company, but then contacting the domain owner that way is less likely to be effective than reaching out to the server's ISP: 1and1.com. I recommend contacting their abuse desk for assistance.

If you do not actually have this email in your "Sent" folder, it is unlikely to have originated from your account at all, it is just a random ID plugged into some spam to cause confusion. Successfully.

Every other mail there is "hidden@gmail.com" as sender.
The spam mail has "hidden@gmail.com via sendgrid.me" as the sender, in my "sent" folder.

Gmail has in help page about via:

I see "via" and a website name next to the sender's name

You'll see "via" and a website name next to the sender's name if the domain it was sent from doesn't match the domain in the "From:" address. For example, you got an email from john.smith@gmail.com, but it could've been sent through a social networking site and not Gmail.

You can't remove the "via" next to someone's name. Gmail shows this information so you're aware of where your messages are coming from.

If you notice that an email was sent via a program you don't recognize, the message might be spam.

If you are still concerned the account was compromised, consider contacting Google abuse / security. They may be able to search outbound logs to confirm if this was among them. But a backscatter bounce due to a spoofed address is far more likely.

a) No strange accivity repported at gmail secuirty page
b) jiggimi looking into it, and indicating bounnced, not hacked
c) If account where hacked, very modest attacker who only sent 4 mails for 24+ hours.
d) With full access to account, spam would look more legit coming from pure gmail.com domain, spammer used this "via"

Still to be on the safe side, these days, strong different password have been set for gmail and many other service I use, like this forum.

Edit - got around to reading the actual headers. gg rocket357. So sendgrid does indeed have dkim/SPF records (sendgrid.net's SPF includes sendgrid.biz, which has 173.193.132.0/23). Interesting. So sendgrid noticed it was a spoof, and bounced a return to the OP's inbox.

My DMARC configuration is set to "p=none" - rather than quarantine or reject. For two reasons: 1) the domain is a recent addition and I want to be sure SPF/DKIM are working correctly, and 2) the mail server is used to send to mailing lists mail every so often, as it is a personal server.

Mailing lists and DMARC do not go well together, and that includes @openbsd.org lists.

Just this morning, Google sent another consolidated DMARC report. The report said 1350 Emails processed. Now, I do not know how many of those may be spoofs, because because the server sent two Emails to an @openbsd.org mailing list in the prior 24 hours, and two Emails to a @gmail.com user. My hope is the majority of the 1350 are valid.

Last edited by jggimi; 2nd February 2017 at 02:22 PM.
Reason: grammar, etc., and a correction, and then later realizing that I misinterpreted rocket357's question